You may think you know HIPAA compliance through and through, but giving it a deeper look will help elucidate the finer points of this somewhat ominous regulatory act that governs not only the principle handlers of medical data such as Protected Health Information, or PHI (also ePHI, or electronic PHI), but also the defined business associates of those healthcare facilities as well.
Here are the five main “gray areas” of the HIPAA compliance verbiage, designed to help you as an enterprise owner be fully aware of any and all fine print:
- HIPAA doesn’t affect only the healthcare industry. HIPAA rules actually apply to any entity that directly handles protected health information. Some common examples of “primary” HIPAA-covered entities include healthcare providers such as hospitals and doctors, health insurance providers, and clearinghouses. However, problems arise when organizations conclude that because they do not explicitly fall into one of the covered entity categories as defined by HIPAA, they do not need to concern themselves with HIPAA compliance.
Actually, the definition of a “covered entity” or Business Associate (BA) is fairly broad, and the rules apply to a wide range of organizations from many different industries. For example, many organizations are affected by HIPAA by virtue of the protected health information (PHI) they hold in the form of employee group health plans. This issue was highlighted in The 2015 Protected Health Information Data Breach Report by Verizon, which linked roughly 20 different industries, in addition to healthcare, to a PHI data breach.
- What exactly defines a Business Associate under HIPAA? A Business Associate (BA) is defined as “an organization or individual working in association with, or providing services to a covered entity that handles PHI”. Some common BA examples include:
- Data storage or document destruction companies
- Data transmission companies or vendors who routinely access PHI
- Third party administrators
- Billing entities
- IT contractors
- Personal health record vendors
- Lawyers and Accountants
- Malpractice insurers
- When does information not constitute PHI? While private patients’ health information should be protected at all costs, there are occurrences when PHI may be made available to the public. HHS states that in recognition of the potential utility of health information, even when it is not individually identifiable, a section of the HIPAA Privacy Rule allows entities to use information that is not individually identifiable by following the de-identification standard and implementation specifications in section §164.514(a)-(b).
Essentially, these provisions allow an entity to disclose health information providing it does not form a basis to make an individual personally identifiable. The National Center of Health Statistics is a good example of a data source that publishes de-identified health information.
- The addressable areas of HIPAA safeguards are “non-negotiable”. These areas fall under physical, administrative, and technical categories. Under the technical heading, they are broken down into 6 sub-categories of relevancy, including:
- Access Control – Unique user ID required, Emergency access procedure required, Automatic logoff (addressable), and Encryption and Decryption (addressable).
- Audit Controls (required) – Procedural mechanisms must be in place that record and examine activity within ePHI-containing databases.
- Mechanism to Authenticate PHI Integrity (addressable) – Makes sure ePHI is not altered, destroyed, or used in an unauthorized manner.
- Authentication (required) – Verification procedure for accessing ePHI
- Transmission Security, Integrity Controls (addressable) – Security measures that ensure transmitted ePHI is not improperly modified until disposed of.
- Transmission Security, Encryption (addressable) – Establishes an encryption mechanism for ePHI wherever appropriate.
- The varying penalties for non-compliance. The differing penalties for HIPAA non-compliance violations are broken down into civil and criminal punishments. The minimum penalty is determined by the person not knowing what they were doing while “exercising reasonable diligence,” incurring a $100 penalty, and up to $25,000 for repeat violations. Maximum penalties include those for egregious, willful conduct in violating HIPAA regulations. Willful neglect, it should be noted, can include lack of proper (or uncorrected) security and safety measures, with penalties of $50,000 up to $1.5 million per violation in fines, and, in criminal cases, from 1 to 10 years in jail, depending on the severity of the case.
Need Help Staying in Compliance?
If you need help staying in regulatory compliance, Puryear IT is a proven leader in providing IT consulting and cybersecurity in Baton Rouge. Contact one of our expert IT staff at (225) 706-8414 or send us an email at firstname.lastname@example.org today, and we can help you with any and all of your IT security needs.